Phishing

University of Cincinnati asks its staff: Can you spot a phishing email?

There’s a new exam going around campus.

Just_super/Getty Images


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

While it’s not exactly a final exam, the University of Cincinnati is sending phishing tests to about 11,500 employees to assess vulnerability to one of education’s biggest cyberthreats.

“We’re going to provide a plan to leadership for following up, either providing instant feedback to a user when they click on a link…[or] providing more sophisticated or more thorough training for those repeat offenders,” said Matt Williams, executive director of information security and deputy CIO at UC.

Big phish, big pond. A campus holds thousands of students—and thousands of credentials sought by scammers. In March alone, Williams said UC blocked 727,000 phishing attacks.

Phishers lure students with emotional pulls, like the excitement of a job offer or the fear of being locked out of an account. (A recent maneuver targeting Duke University students tried both.)

With false payroll or insurance updates, too, hackers target university employees who have access to sensitive information.

“Staff are really the gatekeepers to all this data. They tend to have access into multiple systems, a lot of sensitive data where bad things can happen,” said Williams.

Test day. In early 2023, Williams and his team sent a phishing message of their own making—a test email to validate OneDrive data from a bogus-sounding sender. A link led to a pop-up request for a username and password.

According to the university CIO, it only took about six minutes for an employee to give up the personal info.

“We had users from executive leadership all the way down to the front line go ahead and be fooled and provide those credentials,” Williams told IT Brew.

So, now what? UC has other technical safeguards to address spam: A known list of malicious URLs, a browser-based toolbar for user reporting, and awareness notifications for large-scale attacks.

While there are wrong ways to conduct an in-house phishing expedition, Williams expects to conduct frequent tests in 2023 to track progress and present a case for when greater training is needed.
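The follow-up plan Williams describes (instant feedback for a first click, more thorough training for repeat offenders, and repeated tests to track progress) comes down to bookkeeping over simulation results. The script below is an added illustration, not UC's tooling: it runs over a constructed event log for two hypothetical campaigns and computes per-campaign click and submission rates, the minutes until the first credential submission, and which users should be routed to which follow-up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log for two hypothetical simulation campaigns (not UC data).
# Fields: campaign, user, event (delivered / clicked / submitted), ISO timestamp.
EVENTS = """\
C1,u01,delivered,2023-02-01T09:00:00
C1,u02,delivered,2023-02-01T09:00:00
C1,u03,delivered,2023-02-01T09:00:00
C1,u02,clicked,2023-02-01T09:04:10
C1,u02,submitted,2023-02-01T09:06:00
C1,u03,clicked,2023-02-01T10:15:00
C2,u01,delivered,2023-04-01T09:00:00
C2,u02,delivered,2023-04-01T09:00:00
C2,u03,delivered,2023-04-01T09:00:00
C2,u02,clicked,2023-04-01T09:30:00
"""

def parse_events(text):
    """Parse CSV lines into (campaign, user, event, datetime) tuples."""
    rows = []
    for line in text.strip().splitlines():
        campaign, user, event, ts = line.split(",")
        rows.append((campaign, user, event, datetime.fromisoformat(ts)))
    return rows

def campaign_summary(rows):
    """Per campaign: users per stage, click rate, minutes until first credential submission."""
    users = defaultdict(lambda: defaultdict(set))    # campaign -> event -> set of users
    times = defaultdict(lambda: defaultdict(list))   # campaign -> event -> timestamps
    for campaign, user, event, ts in rows:
        users[campaign][event].add(user)
        times[campaign][event].append(ts)
    summary = {}
    for campaign in users:
        delivered = len(users[campaign]["delivered"])
        sent_at = min(times[campaign]["delivered"]) if delivered else None
        submits = times[campaign]["submitted"]
        summary[campaign] = {
            "delivered": delivered,
            "clicked": len(users[campaign]["clicked"]),
            "submitted": len(users[campaign]["submitted"]),
            "click_rate": len(users[campaign]["clicked"]) / delivered if delivered else 0.0,
            "minutes_to_first_submit": (min(submits) - sent_at).total_seconds() / 60
                                       if submits and sent_at else None,
        }
    return summary

def follow_up_plan(rows, repeat_threshold=2):
    """Route clickers: repeat offenders across campaigns get thorough training, others instant feedback."""
    campaigns_clicked = defaultdict(set)
    for campaign, user, event, _ in rows:
        if event in ("clicked", "submitted"):
            campaigns_clicked[user].add(campaign)
    return {u: ("thorough training" if len(c) >= repeat_threshold else "instant feedback")
            for u, c in campaigns_clicked.items()}
```

Users who never clicked are absent from the plan; comparing `click_rate` across campaigns is the "track progress" figure a program would report to leadership.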

The threats to a university, after all, can begin with one bad click.

“Phishing is a major issue, but then it can lead to more serious things like ransomware,” said Craig Woolley, CIO at Louisiana State University, during a recent discussion led by the software company Splunk.

At least 44 universities and colleges in the US were hit by ransomware in 2022. Eight more attacks have already been reported in 2023.

No “magical key” has unlocked awareness for the campus, Williams told IT Brew. For now: it’s exam time at the University of Cincinnati, but far from a final one.

“We’re going to use this as an educational opportunity where if they actually click on a link, it hypothetically would pop up a message saying, ‘Hey, you just fell for a phishing attack. These are some of the indicators why. In the future: Please take caution of these things,’” said Williams.
